[Mailman-Developers] Who is the "site administrator"?

[Stephen J. Turnbull]

Andrew Stuart writes:

 > Right now I’m aiming for super simple.

This worries me.  Nothing in security is simple (except for the
"Orange Book" and "RMS" models: the former being "it can't be attacked
if you don't plug it in" and the latter being "password communism" a
la Stallman).

At present, we just don't much care because historically the
subscriber database and archives rarely required much if any security,
and when such security was needed we simply did a "deny all" except
for root on the server, which of course was a single host.

But with the advent of DMARC (and the "4/14 Debacle" at Yahoo! and
AOL), I suspect that the price of "known good" address lists is rising
in the underworld, and there will be attacks on Mailman security just
to get addresses.  We're also trying to make it easier to access and
mutate enterprise databases through the Mailman APIs.  That could make
Mailman a vector for attacks on those databases.

 > As it turns out, the core doesn't have a lot of need for this,
 > which is another reason I've so far resisted tightly integrating it
 > with the core.

I'm afraid that is changing, Mr. General FLUFL Sir.  The core is
concerned with mail distribution, which historically has been the
no-security SMTP protocol.  If your core product *can't* be secure, I
would expect that you have little need for security, and what security
you do need can be implemented simply by hiding everything else in a
server on a single host with only root access to anything.  Especially
with the various expanded roles that are already appearing in
Postorius and HyperKitty, is that going to be true going forward?

Of course in current Mailman practice, all this is FUD.  But the fear
is real, even if the threats are (so far) unrealized.  And of course
the cost of a flexible and tight security model is high, both in
design effort and in complexity of the resulting system.